FOI release

Hardware and software used by SIA staff

Published 17 September 2024

Request

Under the Freedom of Information Act, I would request you to respond to questions included in the attachment. If for any reason you are unable to open the attachment, do let me know. I can then send the questions within the email itself.

Please note: If you do not have records relating to the questions in the attachment, please pass on this request to your IT department to provide us with the required information.

Response

I can confirm that the SIA does hold the information you have requested in respect of questions 1 (up to row 12C), 2, and 3. Answers to these questions have been provided in the attached spreadsheet as requested.

In respect of question 1, row 13C and question 4, this information is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000. Section 31 of the FOIA relates to Law Enforcement, and section 31(1)(a) relates to the prevention and detection of crime on the basis that the SIA, as a public body, is not required to provide information that would be likely to prejudice the functions of law enforcement.

The SIA is of the view that releasing the information would increase the likelihood of individuals using that information to target attacks against the SIA systems, e.g. if they had knowledge of vulnerabilities, then attacks could be focused on those vulnerabilities. It is crucial to the SIA that it does not do anything that would allow the personal data it holds to be accessed illegally. Also, providing information on the robustness of its systems may enable other more vulnerable organisations to be targeted.

Although the bona fides of the request may be genuine, FOI responses are public information available to anyone. Section 31(1)(a) is a qualified exemption, so we have gone on to perform a public interest test to assess the public interest arguments for and against declaring whether or not the requested information is held.

In applying this exemption, we have had to balance the public interest in withholding the information against the interest in favour of disclosure.

Factors in favour of disclosure:

  • Confirmation of possession would demonstrate a commitment to transparency with regard to the SIA’s undertakings, and could provide assurance that the SIA has robust IT infrastructures in place

Factors in favour of withholding:

  • Maintaining the integrity and security of the SIA’s systems
  • Preventing cyber-attacks and similar against the SIA’s systems
  • Revealing whether or not the information requested is held or applicable to the SIA would be likely to offer cyber criminals insight into not only the strengths of the SIA’s cyber security but also any potential weaknesses that may exist. This could ultimately result in a future cyber-attack. One of the reasons that cyber security measures are in place is to protect the integrity of personal and sensitive personal information.
  • It is clear to see how the occurrence of a future cyber-attack would prejudice the SIA’s legal duty to safeguard personal information from loss, theft, inappropriate access, or destruction, which is why Section 31 has been employed in this case.
  • A cyber-attack could have catastrophic consequences for SIA services for licence holders and applicants exacerbated by the dependence on these services at a time of a national emergency from Covid-19.

On balance the public interest in maintaining the exemption outweighs that in confirming or denying whether information is held and therefore the SIA neither confirms nor denies whether this information is held. In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

[Ref: FOI 0527]